FOREWORD


Fault tree analysis provides a logical method for graphically presenting the chain
of events leading to a system failure. One result of its application to a system is a
mathematical model suitable for determining system safety and reliability from the
event probabilities.

This handbook is an adaption of Picatinny Arsenal Technical Report 3822 “Fault
Tree Analysis” prepared by Waldemar F. Larsen, and published November 1968.
Consequently, many of the examples are for fuzes and safety and arming devices. The
techniques discussed, however, are applicable to any system.

Since the Technical Report was published and used, some refinements of the
technique have been made. These refinements comprise:

a. A clearer distinction between a failure mode and a failure mechanism as
applied to fault trees.

b. A clearer definition of some fault tree symbols.

A new feature of this handbook is a different approach to the quantification of a
fault tree analysis. This approach uses mathematical apportionment of probabilities
of occurrence of components given a required end item probability of occurrence.


CONTENTS

Page No.

Objectives  1
Abstract  1
Introduction  2
List Successful Events and Requirements  2
Block Diagrams  3
Safety Fault Trees  3
Fault Tree Construction  4
Failure Modes and Failure Mechanisms  6
Basic Events  7
Use of Boolean Algebra  7
Simplification of the Analysis  7
Examples of Simple Fault Trees  8
The Probability of Final Event Occurrences  13
Sensitivity Rating  14
Various Means for Selecting Event Probabilities  21
Gross Life Cycle Probabilities  37
Caution in Using Repeat Events  38
Reliability Fault Trees  40
Relation Between Successful Events and Fault Trees  40
Fault Tree Analysis for Safety and Arming Device, XM813  43
Description of XM813 S&A Device  43
Sequence of Successful Events  43
Safety Requirements  48
XM813 Safety Fault Tree Analysis  48
Safety Apportionment — XM813 Fuze Armed and Detonator Fires Prematurely in Gun Tube  51
XM813 Fuze Prematures Warhead at Unsafe Distance  63
XM813 Reliability Fault Tree Analysis  65
Distribution List  68

Tables

1  Fault tree symbols  5
2  Fundamental equations of Boolean Algebra  8
3  Complete set of safety fault trees  36
4  Failure mode safety apportionment allowed failures/million  60

Figures

1  Warhead safety fault tree  11
2  Detonator prematures fault tree  12
3  Sensitivity rating through OR gate fault tree  15
4  Sensitivity rating graph through an OR gate  17
5  Sensitivity rating through AND gate fault tree  18
6  Sensitivity rating graph through an AND gate  20
7  Parallel system — apportionment through an AND gate  28
8  Series system apportionment through an OR gate  31
9  All OR gate events equally likely  33
10  XM813 S&A device mounting plate assembly  44
11  XM813 Schematic  45
12  Safety fault tree  49
13  XM813 Sensitivity ratio  55
14  Safety fault tree  64
15  Reliability fault tree  66


OBJECTIVES 


To present a method for analyzing safety and reliability problems through the use
of fault trees.

To  present  the  use  of  Boolean  Algebra  to  solve  the  probability  combinations  of 
the  fault  tree. 

To  present  numerical  methods  to  quantify  the  fault  tree  analysis. 

To  present  illustrations  of  fault  tree  analyses. 


ABSTRACT 

This  report  describes  the  procedure  to  be  used  for  constructing  fault  trees,  the 
application  of  Boolean  Algebra  and  the  use  of  probability  values  in  the  final  algebraic 
expressions. 

While  not  the  only  method  which  can  be  used,  the  fault  tree  technique  is  considered 
to  be  a  very  effective  analytical  tool  in  assessing  system  safety. 


This  report  supersedes  Picatinny  Arsenal  Technical  Report  3822. 


INTRODUCTION 


The  Greek  philosopher,  Aristotle,  about  330  B.  C.  made  a  proposition  that  a 
logical  statement  is  either  true  or  false,  but  never  partially  true  or  false. 

Over 100 years ago, in his book entitled “An Investigation of the Laws of
Thought,” published in London in 1854, George Boole developed a mathematical
system involving logic. This system is now called Boolean Algebra. Unlike ordinary
algebra variables which can assume an infinite number of values, Boolean Algebra
variables can assume only one of two different values.

In  the  middle  1950’s  Bell  Telephone  Laboratories  started  developing  the  fault 
tree  concept  by  constructing  a  logic  diagram  using  Aristotle’s  proposition  and  Boolean 
Algebra  to  express  the  number  of  different  events  which  lead  to  an  undesired  end 
event.  In  1962  Bell  published  a  report  on  the  Minuteman  Launch  Control  System 
Safety  using  the  fault  tree  analysis. 

Since  that  time  fault  trees  have  been  used  to  analyze  both  safety  and  reliability 
of  systems  whether  simple  or  highly  complex. 

A  fault  tree  is  a  logic  diagram  based  on  statements  which  are  either  true  or  false, 
on  or  off,  open  or  closed,  good  or  bad,  present  or  absent,  etc. 

The fault tree serves to identify the events on an AND/OR basis that contribute
to a given final event. The Boolean Algebra is used to express the number of different
events (single or combined) which lead to the end event.

While  not  the  only  method  of  analysis,  fault  tree  analysis  has  been  recognized  as 
a  powerful  analytical  tool.  For  this  reason  it  is  hoped  that  this  handbook  will  acquaint 
its  readers  with  a  working  knowledge  of  fault  tree  analysis. 


LIST  SUCCESSFUL  EVENTS  AND  REQUIREMENTS 

Before  starting  a  fault  tree  analysis  it  is  absolutely  essential  that  the  system  to  be 
analyzed  is  thoroughly  understood  by  the  analyst.  One  of  the  best  ways  of  assuring 
that  the  functioning  of  the  system  is  understood  is  to  list  in  chronological  order  the 
sequence  of  events  leading  to  success.  This  list  should  be  complete,  omitting  no  part 
of  the  operation. 

A listing of the performance or safety requirements should complement the
sequence of successful events. Both of these lists will give a full understanding of the
proper functioning and the necessary requirements for use in making a systematic
failure analysis.

BLOCK  DIAGRAMS 

The sequence of successful events list is given in narrative form. From this list,
a block diagram for successful events is made. Within each block is given the terse
description of one event. The description will consist of a subject, a verb and
sometimes an object.

The  blocks  will  be  joined  together  in  series  or  parallel  or  a  combination  of  the 
two  according  to  the  functioning  of  the  system. 

The  method  of  constructing  a  block  diagram  is  best  understood  by  studying  the 
diagrams  of  the  examples  given  on  pages  44  through  68. 


SAFETY  FAULT  TREES 

A safety fault tree identifies the various sequences of events that will result in an
item malfunction which endangers friendly personnel and/or material.

Before  drawing  a  fault  tree,  select  the  malfunction  (safety  or  reliability)  to  be 
investigated.  An  item  may  fail  in  several  different  ways,  so  it  is  essential  that  a  fault 
tree  clearly  state  the  situation  under  investigation.  For  example,  a  fuze  may  detonate 
prematurely,  usually  the  most  serious  case,  or  the  munition  may  leak  explosive,  creating 
a  fire  hazard.  Regarding  reliability,  the  munition  may  be  a  dud,  miss  the  target,  or 
function  at  the  wrong  time. 

Each of the different ways an item may fail, different configurations, or
different phases of the life cycle may require a separate fault tree.


While  these  fault  trees  may  be  similar,  they  will  vary  in  the  significant  contributing 
events,  and  it  is  these  variations  which  make  the  fault  tree  analysis  such  a  powerful 
tool. 


To  emphasize  this  very  important  point,  consider  (a)  a  fuze  prematures  prior  to 
assembly  to  the  warhead  (b)  a  fuze  prematures  the  warhead  in  the  launcher  versus 
(c)  a  fuze  prematures  the  warhead  at  unsafe  short  distance  downrange. 

For situation (b) (premature in launcher) one branch of the fault tree states that
the rotor must be prearmed, which aligns the explosive train, while the other branch
states that the detonator must fire prematurely with the most likely cause being a
short circuit to the detonator so that when the missile battery is activated, the “blow”
is immediate.

For  situation  (c)  (premature  at  unsafe  short  distance)  in  addition  to  the  prearmed 
rotor  as  above,  that  branch  of  the  fault  tree  would  show  that  a  “short  time”  arming  of 
rotor  would  be  another  contributing  event.  The  other  branch  shows  that  the 
detonator  must  fire  prematurely  with  the  most  likely  causes  being  a  foreign  conductor 
between  the  inner  and  outer  ogive  of  the  nose  crush  switch  giving  a  delayed  short 
circuit,  or  that  the  missile  strikes  an  obstacle. 

The  important  difference  between  situation  (b)  and  situation  (c)  is  the  kind  and 
the  timing  of  the  events. 

The  following  examples  of  situations  are  given  for  guidance: 

Safety 

Fuze  prematurely  detonates  rocket  in  launcher 

Fuze  prematurely  detonates  rocket  before  minimum  safe  distance  downrange 

Fuze prematurely arms during transportation, and/or rough handling

(See  page  37  for  life  cycle  situations). 

Reliability 

Fuze  malfunctions  at  target  impact 

Fuze  malfunctions  at  graze  encounter 

Fuze  does  not  self-destruct  missile 

Fault  Tree  Construction 

Conventional  symbols  have  been  established  for  constructing  a  fault  tree.  These 
symbols are listed in Table 1.

Table 1

Fault tree symbols

AND gate: A logical AND relation.

OR gate: A logical OR relation.

Box: An event, usually undesirable, which is dependent upon a logically related
set of sub-events.

Circle: An event which is usually a basic event or primary failure mode.

Diamond: An event where analysis stopped. Further knowledge lacking or
considered inconsequential.

House: An event that is normally expected to occur.

Circle, diamond and house: branches end with one of these symbols (or a repeat
symbol).

Triangle: A repeat symbol indicating that the subset of functions influences more
than one part of the tree within the same major branch. It is represented by the
symbol Y with a numerical subscript.

Hexagon: A repeat symbol indicating that the subset of functions influences
another part of the tree in a different major branch. It is represented by the
symbol Z with a numerical subscript.

Flag: A symbol applied to gates or events to record conditional or restrictive
information concerning the symbol to which it is attached.

Gates are given numbers.

Events are given capital letters A through X.

The letters Y and Z are not used because they are used within the triangle and hexagon
symbols. When there are more events than capital letters start over again using numerical
subscripts (A1 through X1, A2 through X2).

Having  determined  the  various  possible  end  events  and  selected  the  order  in  which 
they  will  be  considered,  one  is  ready  to  start  drawing  the  first  fault  tree. 

To  construct  a  fault  tree  it  is  suggested  that  a  large  piece  of  paper  be  obtained  and  that 
the  first  drawing  of  the  fault  tree  be  prepared  freehand.  Later  it  should  be  prepared  in 
final  form.  Start  at  the  top  of  the  sheet  and  in  the  center  draw  a  rectangle  to  represent 
the  final  event,  usually  a  malfunction.  Next  draw  a  line  down  from  the  A  box  to  an 
AND  or  an  OR  gate  depending  on  the  circumstances.  From  the  gate  draw  lines  down 
to  the  contributing  events.  Proceed  in  this  manner  until  the  branches  reach  a  basic 
event  or  a  primary  failure  mode  or  until  it  is  needless  to  carry  the  analysis  further. 

Remember  that  to  construct  the  fault  tree  start  at  the  top  and  work  down 
through  the  various  branches. 

Failure  Modes  and  Failure  Mechanisms 

Ideally,  branches  of  a  fault  tree  should  end  at  a  failure  mode  or  a  basic  event.  It 
is  important  to  note  the  difference  between  a  failure  mode  and  a  failure  mechanism. 

A  failure  mode  is  a  type  of  failure  while  a  failure  mechanism  is  the  cause  of  the 
failure.  For  example,  the  breaking  of  a  gear  tooth  is  a  failure  mode.  The  failure 
mechanism  for  the  gear  tooth  breaking  may  be  fatigue  of  metal  initiated  by  a  stress 
raiser  resulting  from  grinding  marks,  inclusions,  improper  heat  treatment  and  so  on, 
or the gear tooth could break from a high impact load or from something jamming
the  gear  train.  All  of  these  reasons  are  failure  mechanisms,  but  the  failure  mode  is 
simply  the  breaking  of  the  gear  tooth. 

Another  example  of  a  failure  mode  would  be  an  electric  detonator  not  shorted 
when  in  fact  it  should  be  shorted. 

For  this,  the  failure  mechanisms  would  be  (a)  shorting  bar  damaged  or  broken 
(b)  improper  soldering  or  (c)  shorting  bar  missing. 

To reiterate, fault tree branches are taken down to failure modes, but not to
failure mechanisms. Once the failure mode has been identified on the fault tree a
separate analysis should be made of the failure mechanism so proper safeguards can
be taken during manufacturing, assembling, inspection and testing to eliminate the
failure cause.

Basic  Events 

As  mentioned  above, a  branch  of  the  fault  tree  can  end  at  a  basic  event  which  is 
not  a  failure  mode.  A  basic  event  can  be  either  of  a  normal  or  an  abnormal  nature. 

A  normal  basic  event  is  an  event  which  will  happen  every  time  the  item  is  activated, 
such  as  a  setback  force  or  a  missile  battery  activated  or  missile  vibrations.  These 
normally  expected  events  would  be  placed  within  a  “house”  symbol. 

An  abnormal  basic  event  can  happen  unexpectedly  such  as  shock  loading,  static 
electricity,  thermal  or  radio  frequency  initiation,  or  the  missile  striking  an  obstacle, 
etc.  These  abnormal  basic  events  can  be  placed  within  the  “circle”  or  “diamond” 
symbols  depending  upon  the  knowledge  of  the  event. 

Use  of  Boolean  Algebra 

Logic  or  Boolean  Algebra  is  a  fitting  companion  to  the  recently  developed  fault 
tree  analysis.  There  are  certain  conventional  symbols  used  in  Boolean  Algebra  which 
are: 


1 = True

0 = False

a, b, c = Conditions or events

a' = “a” prime, meaning NOT a. If a = 1 then a' = 0.

b' = “b” prime, meaning NOT b. If b = 1 then b' = 0.

The  basic  relationships  of  Boolean  Algebra  are  given  in  Table  2. 

To analyze a fault tree by the use of Boolean Algebra start at the bottom of one of
the branches and work up. Combine the individual events at the bottom according to
whether they are connected by an AND gate or an OR gate. The AND gate combines
the events by the ( · ) symbol and the OR gate combines the events by the ( + ) symbol.
This procedure will be demonstrated in the examples on pages 44 through 68.

Simplification  of  the  Analysis 

There  are  several  techniques  that  can  be  used  which  will  make  the  construction  and 
the  analysis  of  a  fault  tree  simpler. 

a.  If  the  same  contributing  event  occurs  in  two  or  more  branches  use  the  same 
identifying  letter. 

Table 2

Fundamental equations of Boolean Algebra

+ = OR
· = AND

Code    Equation

(Elementary Propositions)
I       a' = 0
II      a = 1

Switch analogy: switch diagrams for the 0 and 1 states (not reproduced).

III through IX: of these entries only a + a = a and a · a = a are legible.

(Associative Law)
X       (a + b) + c = a + (b + c) = a + b + c
XI      a · (bc) = b · (ac) = c · (ab)

(Commutative Law)
XII     a + b = b + a
XIII    a · b = b · a

(Distributive Law)
XIV     a · (b + c) = ab + ac
XV      a + bc = (a + b) · (a + c)

Interpretation of Equations. Code XIV example. The ( + = OR) symbol indicates
a parallel circuit, while the ( · = AND) symbol indicates a series
circuit. The left hand circuit a · (b + c) shows that switch a AND either
switch b OR c when closed would permit flow. The right hand circuit where
a is a double pole, single throw switch would permit flow when switches a
AND b, OR a AND c are closed.

b. Where a sequence of events occur in various branches of the fault tree after
having been shown once for one branch they can be identified in other branches by the
repeat symbols (triangle or hexagon), etc., depending on the circumstances. By the use
of these repeat symbols both the construction and the analysis are simplified.

Examples  of  Simple  Fault  Trees 

The  introduction  to  the  construction  and  analysis  of  fault  trees  is  shown  in  two 
simple  examples,  Figures  1  and  2. 

Figure  1  shows  a  warhead  safety  fault  tree.  Event  A  is  the  premature  detonation 
of  a  warhead.  OR  gate  #1  indicates  that  event  A  could  be  caused  by  events  B,  C,  or 
D. 

Event  B,  “Shock  Initiation”  and  event  C,  “Thermal  Initiation”  were  placed  within 
the  diamond  symbols  because  further  knowledge  was  lacking.  Event  D,  “Fuze  Initiates 
Warhead”  was  placed  in  a  rectangle  because  it  is  known  that  this  event  can  be  caused  by 
other contributing events. Event D is followed by the #2 AND gate because event E
AND  event  F  must  happen  simultaneously  or  event  F  must  happen  after  event  E  to  make 
event  D  occur.  Events  E  and  F  are  followed  by  the  proper  gates  according  to  the 
knowledge  of  the  system. 

Still referring to Figure 1, a Boolean Algebra analysis is performed. Start at
Gate (2).

(2) = EF  (meaning E AND F)

D = (2) = EF

(1) = B + C + D  (meaning B OR C OR D)

A = (1) = B + C + (2)

A = B + C + EF

Simply  stated  the  resulting  formula  says  that  event  A  can  be  caused  by  event  B, 
OR  event  C,  OR  events  E  AND  F. 

(a.) RELATIONSHIP BETWEEN THESE TWO EVENTS, IF ANY, WAS NOT EXPLORED.

(b.) "ALIGNMENT" APPLIES TO ANY POSITION WHICH PERMITS PROPAGATION FROM ONE
EXPLOSIVE ELEMENT TO THE NEXT.

(c.) "AFTER" IMPLIES A TIME ELEMENT VARYING FROM A FRACTION OF A SECOND TO
MANY HOURS.


Fig 1 Warhead safety fault tree

Next refer to Figure 2 which shows an electrical detonator premature fault tree. Two
different symbols are used here; event F, “Battery Activated” which is a normal basic
event placed in a “house” and event G, “Switch Fails, Closed” and event H, “Short Circuit”
which are primary modes of failure placed in “circles.”

The analysis for this fault tree starts at Gate 3.

(3) = G + H

(2) = F · (3) = F · (G + H) = FG + FH

E = (2)

A = (1) = B + C + D + E

  = B + C + D + (2)

  = B + C + D + F · (G + H)

  = B + C + D + FG + FH


This  formula  says  that  event  A  can  be  caused  by  events  B,  OR  C,  OR  D,  OR  F  AND 
G,  OR  F  AND  H.  In  other  words,  an  electrical  detonator  can  premature  because  of  severe 
shock,  OR  external  heat,  OR  radio  frequency,  OR  battery  activated  AND  switch  fails  in 
the  closed  position,  OR  battery  activated  AND  a  short  circuit. 

The  Probability  of  Final  Event  Occurrences 

The Boolean Algebra equation, A = B + C + D + F(G + H) from Figure 2,
expresses the single events or combination of events which could cause the final event
“Detonator Prematures.” Assuming that the probability value for each contributing event
is known, it is not mathematically correct to substitute these directly into the above
equation.

For two independent events, such as B and C, which are not mutually exclusive where
either one or the other or both can occur, the final probability is expressed as:

P_A = P_B + P_C - P_BC

This  means  that  the  probability  of  A  equals  the  probability  of  B  plus  the  probability  C 
minus  the  probability  of  B  and  C  occurring  at  the  same  time. 

It  very  often  happens  that  the  probability  of  occurrence  is  not  known  and  other  means 
must  be  used  to  determine  a  probability  value.  This  value  can  always  be  subject  to  question. 


The product of probabilities has very little effect on the primary additive terms. The
fact that the selected values in many cases are not the actual values makes the added work
of being mathematically correct unwarranted. Therefore, in making a safety analysis, the
selected values will be substituted directly into the Boolean Algebra equation. Besides
simplifying the work, the method used will give more pessimistic results than if the strictly
correct mathematical method were followed.

Sensitivity  Rating 

After constructing a fault tree, one benefit which can be derived from it is to identify
those input events which would have the most influence on the output fault. A visual
inspection of the fault tree may not reveal the important input faults, but a simple
calculation and the plotting of a graph can quickly show the relative sensitivity of the various
inputs.

The  steps  to  be  taken  in  making  the  sensitivity  rating  calculation  are: 

1. Write the Boolean Algebra expression in the simplest form.

2. Substitute in the Boolean formula the probability value of 0.1 for each input
event and solve to determine the probability value of the output fault.

3. Select a higher probability value (say 0.2, 0.5 or 1.0) and substitute this value
for one input event, holding the other input events at 0.1 and solve for a new output fault
probability value.

4.  After  doing  step  3  for  each  input  fault  arrange  the  events  in  tabular  form  in 
descending  order. 

5.  Divide  the  new  output  fault  values  by  the  output  fault  value  with  all  inputs  set  at 
0.1.  This  is  called  the  Sensitivity  Ratio. 

6.  The  Sensitivity  Rating  is  the  quotient  of  the  Sensitivity  Ratio.  This  rating  has  no 
intrinsic  value  since  the  rating  values  change  with  the  higher  probability  number  chosen. 
However,  the  ratings  do  show  the  relative  influence  on  the  output  fault. 

7.  Plot  the  probability  of  output  fault  values  versus  the  probability  of  the  input 
fault  values.  This  will  graphically  display  the  sensitivity  of  the  various  input  faults. 

Two  sample  calculations  follow,  one  for  a  fault  tree  with  an  OR  gate  feeding  into  the 
final  event  and  the  second  for  a  fault  tree  with  an  AND  gate. 

Fig 3 Sensitivity rating through OR gate fault tree

Thru OR Gate

P = A + B(C + D) + EFG + H(I + JK)

P = A + BC + BD + EFG + HI + HJK

Set all probabilities at .1

P = .1 + .01 + .01 + .001 + .01 + .001 = .132

Set each event at .5, one at a time

Events changed    Probability of output fault

A                 .5 + .01 + .01 + .001 + .01 + .001 = .532
B                 .1 + .05 + .05 + .001 + .01 + .001 = .212
C or D            .1 + .05 + .01 + .001 + .01 + .001 = .172
E, F, or G        .1 + .01 + .01 + .005 + .01 + .001 = .136
H                 .1 + .01 + .01 + .001 + .05 + .005 = .176
I                 .1 + .01 + .01 + .001 + .05 + .001 = .172
J or K            .1 + .01 + .01 + .001 + .01 + .005 = .136

Event             Sensitivity ratio    Sensitivity rating

A                 .532 ÷ .132          4.03
B                 .212 ÷ .132          1.61
H                 .176 ÷ .132          1.33
C, D, I           .172 ÷ .132          1.30
E, F, G, J, K     .136 ÷ .132          1.03

Plot Graph


Fig 4 Sensitivity rating graph through an OR gate

Fig 5 Sensitivity rating through AND gate fault tree


Thru AND gate

P = ([A+B]M + [E+F]CD) · ([G+H][J+K+L])

P = (AM+BM+CDE+CDF) · (GJ+GK+GL+HJ+HK+HL)

Set all probabilities at .1

P = (.01+.01+.001+.001) · (.01+.01+.01+.01+.01+.01) = .00132

Set each event at 1.0, one at a time

Events changed    Probability of output fault

M                 (.1+.1+.001+.001)(.06) = .01212
G or H            (.022)(.1+.1+.1+.01+.01+.01) = .00726
A or B            (.1+.01+.001+.001)(.06) = .00672
J, K or L         (.022)(.1+.01+.01+.1+.01+.01) = .00528
C or D            (.01+.01+.01+.01)(.06) = .00240
E or F            (.01+.01+.01+.001)(.06) = .00186

Event             Sensitivity ratio    Sensitivity rating

M                 .01212 ÷ .00132      9.2
G, H              .00726 ÷ .00132      5.5
A, B              .00672 ÷ .00132      5.1
J, K, L           .00528 ÷ .00132      4.0
C, D              .00240 ÷ .00132      1.82
E, F              .00186 ÷ .00132      1.41

Plot Graph

Fig 6 Sensitivity rating graph through an AND gate
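
The sensitivity rating steps applied to both sample fault trees, as an added example that is not part of the handbook. It uses the handbook's direct substitution ('+' adds, AND multiplies); the function and variable names are assumptions made for illustration.

```python
from math import prod

# Simplified Boolean expressions from the two sample calculations, written as
# lists of AND-terms (each string is a product of single-letter events).
OR_TREE = ["A", "BC", "BD", "EFG", "HI", "HJK"]      # P = A+BC+BD+EFG+HI+HJK
AND_LEFT = ["AM", "BM", "CDE", "CDF"]                # ([A+B]M + [E+F]CD)
AND_RIGHT = ["GJ", "GK", "GL", "HJ", "HK", "HL"]     # ([G+H][J+K+L])


def sum_of_products(terms, p):
    """Direct substitution as in the handbook: '+' adds, AND multiplies."""
    return sum(prod(p[event] for event in term) for term in terms)


def or_gate_tree(p):
    return sum_of_products(OR_TREE, p)


def and_gate_tree(p):
    return sum_of_products(AND_LEFT, p) * sum_of_products(AND_RIGHT, p)


def sensitivity_table(model, events, raised, base=0.1):
    """Steps 2-6: baseline with every input at `base`, then raise one input
    at a time to `raised`; events giving the same output share one row."""
    baseline = model({e: base for e in events})
    groups = {}
    for event in events:
        p = {e: base for e in events}
        p[event] = raised
        output = round(model(p), 9)       # rounding merges float-noise ties
        groups.setdefault(output, []).append(event)
    rows = [(",".join(evts), out, out / baseline) for out, evts in groups.items()]
    rows.sort(key=lambda row: row[1], reverse=True)   # step 4: descending order
    return round(baseline, 9), rows


def report(title, model, events, raised):
    baseline, rows = sensitivity_table(model, events, raised)
    print(f"{title}: all inputs at 0.1 -> P = {baseline:g}")
    for names, output, rating in rows:
        print(f"  {names:<10} P = {output:<8g} rating = {rating:.2f}")


if __name__ == "__main__":
    report("Thru OR gate, one input at 0.5", or_gate_tree, "ABCDEFGHIJK", 0.5)
    report("Thru AND gate, one input at 1.0", and_gate_tree, "ABCDEFGHJKLM", 1.0)
```

The ratings are printed to two decimals, so the AND gate rows show 9.18 and 5.09 where the handbook rounds to 9.2 and 5.1.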

Various Means for Selecting Event Probabilities

Engineering Judgment

In  the  absence  of  actual  probability  values  for  contributing  failure  modes  or 
basic  events,  the  next  most  natural  thing  to  do  is  to  select  probabilities  based  on 
engineering  judgment.  This  judgment  may  be  based  on  knowledge  or  experience  on  a 
similar,  but  not  exactly  alike,  item  or  situation.  This  has  some  validity.  On  the  other  hand, 
without  prior  knowledge  the  selection  may  have  to  be  made  by  intuition  or  guess  work. 
This  is  the  poorest  method. 

To  make  sure  that  there  is  some  semblance  of  uniformity  in  selecting  the  probability 
of  occurrence,  the  following  table  is  given  as  a  guide: 

Low probability = one malfunction in one or more million tests.

Example: 1/1,200,000 = .000000833

Average probability = one malfunction in one hundred thousand tests, more or less.

Example: 1/105,000 = .00000952

High  probability  =  one  or  more  malfunctions  in  ten  thousand  tests. 

Examp,e;  Tom- =  0089 

Normal occurring event = 1.0

Example:  Battery  activated  normally 
Launch  shock  (setback) 

By referring to Figure 2 we find six events which contribute to event A, the
prematuring of an electric detonator. The Boolean algebraic expression already derived is:

A = B + C + D + F(G + H)


Engineering Judgment

B = Severe shock (low) = .000001 = 1/1,000,000
C = External heat (average) = .00001 = 1/100,000
D = Radio frequency (low) = .000001 = 1/1,000,000
F = Battery activated (normal) = 1.0 = 1
G = Switch fails, closed (average) = .00002 = 1/50,000
H = Short circuit (high) = .0001 = 1/10,000

A = .000001 + .00001 + .000001 + 1.0(.00002 + .0001)

  = .000132 = 1/7575

This means that, on the basis of the hypothetical figures, the electrical detonator
could premature once in 7575 times.

A careful study shows the influence that a normal occurring event and a high
probability value event have on the final event.
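
The direct substitution used above, set beside the gate-by-gate exact calculation for the Figure 2 tree, as an added example that is not part of the handbook. It assumes the basic events are independent and that each appears only once in the tree; the names FIGURE_2, JUDGMENT, evaluate and compare are illustrative.

```python
from math import prod

# Figure 2 as a nested tuple: A = OR(B, C, D, E) with E = AND(F, OR(G, H)).
FIGURE_2 = ("OR", "B", "C", "D", ("AND", "F", ("OR", "G", "H")))

# Engineering-judgment probabilities listed on the page for events B to H.
JUDGMENT = {"B": 1e-6, "C": 1e-5, "D": 1e-6, "F": 1.0, "G": 2e-5, "H": 1e-4}


def leaves(node):
    """Names of the basic events under a node, in tree order."""
    if isinstance(node, str):
        return [node]
    return [name for child in node[1:] for name in leaves(child)]


def evaluate(node, p, exact=False):
    """Probability of a node. exact=False is the handbook's direct
    substitution (OR adds); exact=True uses 1 - product of (1 - p) at OR
    gates, which is correct for independent, non-repeated events."""
    if isinstance(node, str):
        return p[node]
    gate, children = node[0], node[1:]
    values = [evaluate(child, p, exact) for child in children]
    if gate == "AND":
        return prod(values)
    if gate == "OR":
        return 1.0 - prod(1.0 - v for v in values) if exact else sum(values)
    raise ValueError(f"unknown gate {gate!r}")


def compare(tree, p):
    """Return (direct, exact, direct - exact) for one tree."""
    names = leaves(tree)
    if len(names) != len(set(names)):
        # A repeated event makes the branches dependent, so the gate-by-gate
        # exact formula no longer applies.
        raise ValueError("repeated event: gate-by-gate exact formula does not apply")
    direct = evaluate(tree, p)
    exact = evaluate(tree, p, exact=True)
    return direct, exact, direct - exact


if __name__ == "__main__":
    direct, exact, gap = compare(FIGURE_2, JUDGMENT)
    print(f"judgment values: direct={direct:.9f} exact={exact:.9f} gap={gap:.2e}")
    print(f"direct substitution: one premature in {int(1 / direct)}")
    direct, exact, gap = compare(FIGURE_2, {name: 0.1 for name in "BCDFGH"})
    print(f"all inputs 0.1 : direct={direct:.6f} exact={exact:.6f} gap={gap:.6f}")
```

With the small judgment values the two results differ by a few parts in a billion, and the direct figure is the larger (more pessimistic) one; at 0.1 per input the gap is no longer negligible.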

Safety  Apportionment,  General 

Catastrophic accidents are never wanted but they can and do occur. It has
become a practice to set a safety goal for each item which should be met or exceeded.

For example, a safety goal may be not more than one accident in three million shots.

The safety failure rate would then be expressed as 1/3,000,000 = .0000003333

Through Boolean algebra a mathematical model is derived for a particular fault tree
which in turn yields equations for the various branches of the tree. If every event
probability were known and put into the mathematical model the final event probability
would be determined. Conversely, if the final event probability or safety goal has been
established then the mathematical process can be reversed and the individual event
probabilities determined. This reversing process is called apportionment. When the individual
event probabilities are not equal, the problem of apportionment has an infinite number of
solutions assuming no restrictions on the apportionment. Only when restrictions or
relationships between the individual event probabilities have been established can a finite
solution be made. From this point, trade-offs between individual event probabilities can
be made. Because of certain constraints such as component costs, weights, or reliabilities,
there will be some individual event allowable probabilities which cannot be readily varied.
The mathematical techniques used to find the best combination vary in sophistication
from trial and error to dynamic programming.

When  event  probabilities  have  been  set  through  safety  apportionment,  it  is  being 
stated  that  an  event  must  not  happen  more  frequently  than  indicated.  These  are  allowed 
probabilities  for  a  given  situation.  A  decision  must  be  made  whether  or  not  a  particular 
component  can  meet  the  assigned  probability.  If  it  is  a  critical  component,  that  is,  one 
that  has  a  high  influence  on  the  output  probability  of  the  end  event,  it  will  be  necessary  to 
exercise  special  care  in  manufacture,  assembly,  inspection  and  testing  of  the  item.  Even 
after  this,  if  the  component  still  has  a  poor  chance  of  meeting  the  assigned  probability 
the  design  should  be  changed. 

The various situations under which a safety apportionment can be made will be
discussed in the following paragraph. Having made several apportionments the safety
engineer must then decide on a final set of event probabilities.

The sample calculations which follow are for very simple situations. However, the
principles involved can be used in more complex fault trees. To show how this is done
see the XM813 analysis beginning on page 44. Some variations illustrated there are:

a.  Both  branches  and  modes  within  branches  equally  likely. 

b.  All  major  events  equally  likely,  some  failure  modes  adjusted. 

c.  Branches  unequal  and  failure  modes  adjusted. 


Safety  Apportionment  —  Fundamental  Methods 

Before  investigating  the  various  methods  of  making  a  Safety  Apportionment,  a 
review  of  some  established  fundamental  methods  would  be  in  order.  This  can  best  be 
done  by  reviewing  the  mathematics  used  in  determining  system  reliability. 

The reliability of a series system is the product of the true reliabilities of the subsystems,
i.e.,

Rs = R1 x R2 x R3 x .... x Rn

If each subsystem has the same reliability then:

Rs = Ri1 x Ri2 x .... x Rin = Ri^n

Conversely, apportionment is the determination of the subsystem reliabilities when the
required system reliability (Rs) is given. If each individual subsystem has the same reliability
then:

Ri = (Rs)^(1/n)    (the nth root of Rs)

Example: Given Rs = .98 for 3 equal subsystems in series.

Ri = (.98)^(1/3) = .9933

Check: .9933 x .9933 x .9933 = .98


When  the  subsystem  reliabilities  are  not  equal  the  problem  of  apportionment  given  an 
overall  series  system  reliability  has  an  infinite  number  of  solutions  assuming  no  restrictions 
on  the  apportionment.  Only  when  restrictions  or  relationships  between  the  individual 
subsystems  have  been  established  can  a  finite  solution  be  made. 


Failure  Rates  Unknown  —  Complexity  or  Relative  Likelihood  Apportionment 
Method  —  Series  System 

Very often the exact failure rate of a mechanical mechanism is not known.
However, within a system the likelihood of a failure of an individual subsystem in relation
to other subsystems may be known or assumed. Sometimes this relative likelihood is
called complexity. The assumption of complexity may be based on several different
factors. These factors could be:

a.  Number  of  components  making  up  the  subsystem 

b.  Difficulty  of  manufacturing  the  subsystem 

c.  Difficulty  of  inspecting  the  subsystem 

d.  Cost  of  the  subsystem 

A  method  has  been  developed  which  uses  an  index  of  the  complexity  numbers  as 
“powers”  of  the  system  reliability  (Rs).  The  sum  of  the  indexes  must  equal  one.  This 
method  is  best  illustrated  by  an  example:  It  is  desired  to  apportion  reliabilities  to  three 
(3)  subsystems  so  that  the  total  system  has  a  true  reliability  of  .98  probability  of  success. 


Assume  that  “c”  is  the  most  complex  subsystem  and  is  most  likely  to  fail  (least 
reliable),  “b”  is  .73  times  as  likely  to  fail  as  “c”  (more  reliable),  and  “d”  is  .44  times  as 
likely  to  fail  as  “c”  (most  reliable).  Set  up  the  following  table. 


Event   Relative complexity   Complexity index = i   Reliability apportionment = (a)^i

c       1.00 ÷ 2.17 =         .460                   .99075*
b        .73                  .336                   .99324
d        .44                  .204                   .99589

        2.17                  1.000

*c = (a)^i = (.98)^.460

.460 log .98 = .460 x 1̄.991226
             = .460 x (999.991226 - 1000)
             = 459.995964 - 460

c = .99075
b = .99324
d = .99589

Check: a = b . c . d
         = .99324 x .99075 x .99589 = .98000

The explanation of this method is based on the exponential law a^m · a^n = a^(m+n).
Thus:

Ra = Rb · Rc · Rd
Ra = Ra^ib · Ra^ic · Ra^id
Ra = Ra^.336 · Ra^.460 · Ra^.204
Ra = Ra^(.336 + .460 + .204) = Ra^1.0
Ra = Ra^1.0

It  is  helpful  to  remember  that  a  decimal  number  raised  to  a  decimal  power  becomes  a  larger 
decimal  number. 

Failure  Rates  Known  —  Series  System 

If  the  true  failure  rates  of  the  individual  subsystem  are  known,  then  the  true 
reliability  of  the  whole  system  can  be  determined. 

Rs = (1-F1) (1-F2) (1-F3) .... (1-Fn)

If each subsystem has the same failure rate, then the above equation becomes:

Rs = (1-F) (1-F) (1-F) .... (1-F)

Rs = (1-F)^n

Example: The failure rate for 3 subsystems equals .0067 (.67%) each. Find system
reliability.

Rs = (1-.0067)^3 = (.9933)^3 = .980

If  each  subsystem  has  a  different  failure  rate,  then  apportionment  can  be  made  for  a 
given  system  reliability  if  a  relationship  is  known  between  the  failure  rates  of  the  subsystem. 

Example:  Given  a  system  reliability  =  .98  for  3  subsystems  in  series. 


“c” has the highest failure rate
“b” = .73 “c”
“d” = .44 “c”

Ra = (1-Fb) (1-Fc) (1-Fd) = .98
Ra = (1-.73Fc) (1-Fc) (1-.44Fc) = .98

Use Trial and Error Method

Let Fc = .01

Ra = (1-.73x.01) (1-.01) (1-.44x.01)
   = (.9927) (.99) (.9956) = .978449

Let Fc = .0093

Ra = (1-.73x.0093) (1-.0093) (1-.44x.0093)
   = (.993211) (.9907) (.995908) = .979948  OK

Care  must  be  exercised  when  using  the  Complexity  or  Relative  Likelihood  Apportionment 
Method  that  it  is  not  used  directly  with  reliability  values  but  only  with  failure  rates. 

Example:  Given  a  system  reliability  =  .98  for  3  subsystems  in  series. 


d  has  the  highest  reliability 
b  is  73%  as  reliable  as  d 
c  is  44%  as  reliable  as  d 

Ra = Rb x Rc x Rd = .98

   = .73 Rd x .44 Rd x Rd = .98
   = .321 Rd^3 = .98

Rd^3 = .98/.321 = 3.05

Rd = (3.05)^(1/3) = 1.45

Rb = .73 x 1.45 = 1.06
Rc = .44 x 1.45 = .637

Check: 1.06 x .637 x 1.45 = .98

Note  that,  according  to  this  calculation,  subsystem  d  has  a  reliability  of  145%  and 
b  has  a  reliability  of  106%.  Obviously,  this  is  wrong  since  no  subsystem  can  have  a 
reliability  greater  than  100%. 
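The two series-system examples above, worked in code as an added illustration (not part of the handbook): the trial-and-error search for Fc is replaced by bisection, and the misuse of ratios on reliabilities is reproduced so that the impossible values can be flagged. All function names are this example's own.

```python
import math


def solve_scale(top_event, goal, lo, hi, iterations=200):
    """Bisect for the x in [lo, hi] at which top_event(x) equals goal.

    top_event must increase with x over the interval.
    """
    if not top_event(lo) <= goal <= top_event(hi):
        raise ValueError("goal is not bracketed by [lo, hi]")
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if top_event(mid) < goal:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def series_reliability(failure_rates):
    """Rs = (1-F1)(1-F2)...(1-Fn) for subsystems in series."""
    return math.prod(1.0 - f for f in failure_rates.values())


def equal_apportionment(system_reliability, n):
    """Equal subsystems: Ri is the nth root of Rs."""
    return system_reliability ** (1.0 / n)


def series_failure_rates(system_reliability, ratios):
    """Failure rates F_k = ratio_k * x chosen so the series reliability is met."""
    if not 0.0 < system_reliability < 1.0:
        raise ValueError("system reliability must lie strictly between 0 and 1")
    if not ratios or any(r <= 0 for r in ratios.values()):
        raise ValueError("ratios must be positive")

    def system_failure(x):
        return 1.0 - math.prod(1.0 - r * x for r in ratios.values())

    hi = 1.0 / max(ratios.values())          # keeps every F_k at or below 1
    x = solve_scale(system_failure, 1.0 - system_reliability, 0.0, hi)
    return {name: r * x for name, r in ratios.items()}


def ratios_on_reliabilities(system_reliability, ratios):
    """The misuse the text warns about: the ratios applied to reliabilities."""
    base = (system_reliability / math.prod(ratios.values())) ** (1.0 / len(ratios))
    return {name: r * base for name, r in ratios.items()}


def impossible(values):
    """Names whose apportioned value is not a probability."""
    return [name for name, v in values.items() if not 0.0 <= v <= 1.0]


if __name__ == "__main__":
    print("equal subsystems:", round(equal_apportionment(0.98, 3), 4))
    rates = series_failure_rates(0.98, {"c": 1.00, "b": 0.73, "d": 0.44})
    for name, f in rates.items():
        print(f"F{name} = {f:.6f}")
    print("check Ra =", round(series_reliability(rates), 6))
    wrong = ratios_on_reliabilities(0.98, {"d": 1.00, "b": 0.73, "c": 0.44})
    print("ratios on reliabilities:", {k: round(v, 3) for k, v in wrong.items()})
    print("not valid probabilities:", impossible(wrong))
```

Bisection lands slightly below the handbook's Fc = .0093 because the trial-and-error search stopped at .979948 rather than exactly .98.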

Safety  Apportionment  Through  an  AND  Gate 

The apportionment methods just reviewed dealt with system reliability with
subsystems in series. Here system reliability was the product of the subsystem
reliabilities.

In dealing with fault trees the product of probabilities is found in a system where
the subsystems are in a parallel circuit. De Morgan’s law, as explained on page 41,
describes this situation.

For purposes of illustration, assume a system with three (3) subsystems in parallel.
The system and the corresponding fault tree would be:

[Figure: block diagram and corresponding fault tree]


Reliability,  Ra  =  1  -  (Fb)  (Fc)  (Fd)  where  F  =  failure  rate 
System  Failure  Rate,  a'  =  (b')  (c')  (d') 

Since  fault  trees  are  concerned  with  the  probabilities  of  events  and  malfunctions  of 
subsystems  which  contribute  to  an  unwanted  end  event,  the  combination  of  these  prob¬ 
abilities  when  going  through  an  AND  gate  is  the  same  as  the  probabilities  of  success  in  a 
series  system.  Therefore,  the  apportionment  of  probabilities  through  an  AND  gate  is 
dependent  on  the  product  of  the  probabilities. 

In  general,  two  basic  situations  are  encountered: 

(1)  All  events  are  equally  likely  to  happen,  or  in  other  words,  all  have  equal 
complexity. 

(2)  All  events  have  unequal  complexity  so  that  one  subsystem  is  more  likely 
to  fail  than  another. 

In the first situation of equal complexity, the safety apportionment of the subsystems
is the nth root of the system safety goal, where n is the number of subsystems.

Example: Safety requirement equal to or less than 1 premature in 3,000,000 shots in a
parallel system consisting of 3 equal subsystems. See Figure 7.

Boolean Expression

a' = b' . c' . d' = 1/3,000,000 = .0000003333

b' = c' = d' = (a')^(1/3) = (1/3,000,000)^(1/3) = 1/144.225

This means that b' and c' and d' must have a failure rate or probability of occurrence equal
to or less than 1 in 145 if the safety requirement of not more than 1 premature in
3,000,000 shots for the system is to be met.

In the second situation of unequal complexity the safety apportionment of the
subsystems is obtained by proportioning the end item safety requirement as the power of the
relative likelihood index of occurrence in the subsystems.

Example: Safety requirement equal to or less than 1 premature in 3,000,000 shots in a
parallel system consisting of 3 subsystems where relative likelihood is c' = 1.00, b' = .73,
d' = .44.

Calculations follow.

[Fig 7 Parallel system - apportionment through an AND gate (block diagram and fault tree)]

Safety Apportionment Through an AND Gate

Safety Requirement ≤ 1 premature in 3,000,000 shots

a' = b' . c' . d' = 1/3,000,000 = .0000003333

Event   Relative likelihood*   Likelihood index = i   Safety apportionment = (a')^i

c'      1.00 ÷ 2.17 =          .460                   .001048    = 1/954.2
b'       .73                   .336                   .006663    = 1/150.1
d'       .44                   .204                   .047715    = 1/20.96

        2.17                   1.000                  .000000333 = 1/3,000,000

c' = (a')^i = (.0000003333)^.460

.460 Log .0000003333 = .460 x 7̄.522835
                     = .460 x (993.522835 - 1,000)
                     = 457.02050410 - 460

c' = .001048
b' = (a')^i = (.0000003333)^.336 = .006663
d' = (a')^i = (.0000003333)^.204 = .047715

Check:

a' = b' . c' . d' = .006663 x .001048 x .047715 = .0000003332

* Determined from prior knowledge

Safety  Apportionment  Through  an  OR  Gate 

Events and malfunctions of subsystems which pass through an OR gate for the
end event to occur are derived from a series system. The system and the corresponding fault
tree would be:

[Figure: block diagram (input) and corresponding fault tree]

Ra = Rb x Rc x Rd

Expressed in terms of failure rate this formula becomes:

Ra = (1 - Fb) (1 - Fc) (1 - Fd)

Expanded, Ra = (1 - Fb - Fc - Fd + FbFc + FcFd + FbFd - FbFcFd)

The Boolean expression for this fault tree is:

a' = b' + c' + d'

A relationship exists between the Boolean expression and the expanded reliability
formula if the second order and higher power values are dropped. The reliability formula
then becomes:

Ra = (1 - Fb - Fc - Fd)

Ra = 1 - (Fb + Fc + Fd)

The  parenthesis  (Fb+Fc+Fd)  is  the  summation  of  the  failure  rates  of  the  subsystems  b, 
c,d  and  corresponds  numerically  to  the  Boolean  expression  b'  +  c'  +  d'.  As  discussed  on 
page  13,  this  approximation  is  satisfactory  when  used  with  safety  fault  trees  since  it  is 
on  the  pessimistic  side.  When  used  for  reliability  fault  trees,  this  approximation  will  yield 
results  which  are  less  than  the  true  reliability. 

To make a safety apportionment for subsystems passing through an OR gate the
following method can be used, provided a relationship is known or assumed about the
subsystems.

Again, two basic situations are encountered.

(1) All events are equally likely to happen, or in other words, all have equal
complexity.

(2) All events have unequal complexity so that one subsystem is more likely to
fail than another.

In the first situation of equal complexity, the safety apportionment of the
subsystems is an equal division of the end-item safety requirement or goal.

Example: Safety requirement equal to or less than 1 premature in 3,000,000 shots.
See Figure 8.

a' = b' + c' + d' = 1/3,000,000 = .0000003333

b' = c' = d' = .0000003333/3 = .0000001111 = 1/9,000,000

This means that b' or c' or d' must not have more than 1 premature in 9,000,000 shots
if the safety requirement of not more than 1 premature in 3,000,000 shots for the system
is to be met.

In the second situation of unequal complexity, the safety apportionment of the
subsystems is obtained by multiplying the end item safety goal by the relative likelihood index
of the subsystems.

Example: Safety requirement equal to or less than 1 premature in 3,000,000 shots in a
series system consisting of 3 subsystems. Relative likelihood c' = 1.000,
b' = .73, d' = .44.

b' = .73 c' ,  d' = .44 c'

Calculations follow.

[Fig 8 Series system apportionment through an OR gate (block diagram)]

Apportionment Through an OR Gate

Safety Requirement ≤ 1 premature in 3,000,000 shots

a' = b' + c' + d' = 1/3,000,000 = .0000003333

Event   Relative likelihood*   Likelihood index = i   Safety apportionment = i a'

c'      1.000 ÷ 2.17 =         .460                   .0000001533 = 1/6,523,157
b'       .73                   .336                   .000000112  = 1/8,928,571
d'       .44                   .204                   .000000068  = 1/14,705,882

        2.17                   1.000                  .0000003333 = 1/3,000,000

* Determined from prior knowledge

Safety Apportionment — All OR Gate Events Equally Likely


For a system which has a combination series parallel circuit, this method of
safety apportionment assumes the situation that all events coming out of an OR gate
are equally likely to occur. Any subsequent events out of an AND gate can be divided
equally in probability, or they can be divided unequally if some relationship between them
is known.

[Fig 9 All OR gate events equally likely (fault tree)]

a' = b' + c' + (2)
A = B + C + DE

All OR gate events equally likely (b', c', (2))

a' = b' + c' + (2) = 1/3,000,000

If b' = c' = (2)

Then a' = b' + b' + b' = 3b' = 1/3,000,000

b' = 1/(3 x 3,000,000) = 1/9,000,000

Check:

a' = 1/9,000,000 + 1/9,000,000 + 1/9,000,000 = 3/9,000,000 = 1/3,000,000

(2) = d' . e' = 1/9,000,000

If d' = e' (equally likely)

Then D^2 = 1/9,000,000

D = (1/9,000,000)^(1/2)

D = 1/3000 = .000333

Summary: Allowed Probabilities

A = .0000003333
B = .0000001111
C = .0000001111
D = .000333
E = .000333

If e' = .45d' (unequal likelihood)

Then (2) = d' . e' = d' (.45d') = .45(d')^2

D = (1/(.45 x 9,000,000))^(1/2) = (1/4,050,000)^(1/2) = 1/2012 = .0004970

E = .45 x 1/2012 = 1/4471 = .00022366

Summary: Allowed Probabilities

A = .0000003333
B = .0000001111
C = .0000001111
D = .0004970
E = .00022366


Safety  Apportionment  -  All  Failure  Modes  Equally  Likely 

In a series parallel circuit, refer to Figure 9, a situation can be assumed where
all failure modes are equally likely to occur. The probabilities of B, C, D, and E are all equal.

a' = B + C + DE = 1/3,000,000

By trial and error, each failure mode = .0000001666

Check:

a' = .0000001666 + .0000001666 + (.0000001666)^2
   = .0000003332 + .00000000000002775556
   = .0000003332000277

Summary: Allowed Probabilities

A = .0000003333
B = .0000001666
C = .0000001666
D = .0000001666
E = .0000001666
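The AND gate and OR gate tables and the three Figure 9 cases above, recomputed in code as an added example (not part of the handbook). The indexes are the handbook's rounded values .460, .336 and .204; the function names are this example's own, and the "all failure modes equal" case is solved in closed form instead of by trial and error.

```python
import math

SAFETY_GOAL = 1 / 3_000_000           # not more than 1 premature in 3,000,000 shots
# Indexes as rounded in the handbook tables (1.00, .73 and .44 divided by 2.17).
HANDBOOK_INDEXES = {"c": 0.460, "b": 0.336, "d": 0.204}


def likelihood_indexes(relative):
    """Divide each relative likelihood by their sum so the indexes add to one."""
    if not relative or any(v <= 0 for v in relative.values()):
        raise ValueError("relative likelihoods must be positive")
    total = sum(relative.values())
    return {name: value / total for name, value in relative.items()}


def _check(goal, indexes):
    if not 0.0 < goal < 1.0:
        raise ValueError("goal must be a probability strictly between 0 and 1")
    if not math.isclose(sum(indexes.values()), 1.0, abs_tol=1e-9):
        raise ValueError("indexes must sum to one")


def apportion_and(goal, indexes):
    """AND gate: input k is allowed goal ** i_k, so the product of inputs is goal."""
    _check(goal, indexes)
    return {name: goal ** i for name, i in indexes.items()}


def apportion_or(goal, indexes):
    """OR gate: input k is allowed i_k * goal, so the sum of inputs is goal."""
    _check(goal, indexes)
    return {name: i * goal for name, i in indexes.items()}


def or_gate_exact(probabilities):
    """Exact OR of independent events, for comparison with the simple sum."""
    return 1.0 - math.prod(1.0 - p for p in probabilities)


def fig9_top(p):
    """Figure 9 top event in the handbook's form: A = B + C + DE."""
    return p["B"] + p["C"] + p["D"] * p["E"]


def fig9_or_inputs_equal(goal, e_over_d=1.0):
    """b' = c' = (2) = goal / 3, then d' . e' = (2) with e' = e_over_d * d'."""
    branch = apportion_or(goal, {"B": 1 / 3, "C": 1 / 3, "(2)": 1 / 3})
    d = math.sqrt(branch["(2)"] / e_over_d)
    return {"B": branch["B"], "C": branch["C"], "D": d, "E": e_over_d * d}


def fig9_all_modes_equal(goal):
    """B = C = D = E = x with x + x + x*x = goal (positive root, stable form)."""
    x = goal / (1.0 + math.sqrt(1.0 + goal))
    return {"B": x, "C": x, "D": x, "E": x}


if __name__ == "__main__":
    for label, table in (("AND", apportion_and(SAFETY_GOAL, HANDBOOK_INDEXES)),
                         ("OR", apportion_or(SAFETY_GOAL, HANDBOOK_INDEXES))):
        print(f"{label} gate")
        for name, p in table.items():
            print(f"  {name}' = {p:.10f} = 1 in {1 / p:,.1f}")
    for label, case in (("OR inputs equal, d' = e'", fig9_or_inputs_equal(SAFETY_GOAL)),
                        ("OR inputs equal, e' = .45d'",
                         fig9_or_inputs_equal(SAFETY_GOAL, 0.45)),
                        ("all failure modes equal", fig9_all_modes_equal(SAFETY_GOAL))):
        print(label, {k: f"{v:.10f}" for k, v in case.items()},
              "A =", f"{fig9_top(case):.10f}")
```

The exact OR of the apportioned values comes out just under the simple sum, which is the pessimistic direction the text describes for safety fault trees.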


Life  Cycle  Sets  of  Fault  Trees 

When  conducting  a  safety  failure  analysis,  to  do  a  thorough  job,  it  will  be 
necessary  to  construct  fault  trees  for  every  situation  from  the  time  the  explosive  elements 
are  assembled  into  the  item  at  the  contractor’s  plant  until  the  missile  has  had  a  safe 
separation  from  the  launcher. 


A  typical  example  of  a  life  cycle  set  of  fault  trees  can  be  shown  using  a  guided 
missile  for  an  illustration. 


Table 3

Complete set of safety fault trees

Number  Configuration                                           Rotor pre-arms  Detonator fires

1       S&A Device    Explosives loaded by mfgr.                a               j
2       S&A (loaded)  Shipped to warhead plant                  b               k
3       S&A/Whd       S&A assembled to warhead                  c               l
4       Fuze/Whd      Whd. Sect. shipped to missile plant       d               m
5       Fuze/Whd/Msl  Whd. Sect. assembled to missile           e               n
6       Fuze/Whd/Msl  Missile shipped to depot or field         f               o
7       Fuze/Whd/Msl  Missile fired in launcher                 g               p
8       Fuze/Whd/Msl  Missile safely separated from launcher    h               q

S&A = Safety & Arming Device
Whd = Warhead
Msl = Missile

At first glance, it might seem a formidable job to construct eight fault trees, but
actually it will not be that difficult because the hexagonal repeat symbols can be used
from one tree to another. Just be sure that the Z’s have the proper subscript for easy
identification from tree to tree. It is important that a fault tree be constructed for each
situation.

Gross  Life  Cycle  Probabilities 

Having constructed the complete set of safety fault trees listed in Table 3, the next
logical question that can be asked is, “what is the probability of having a safety and
arming device (or fuze) functioning prematurely from the time it is made until it safely
separates from the launcher?” The answer to this question would give the gross life cycle
probability of a hazardous premature.

Before  deriving  a  solution  to  this  problem  look  at  the  practical  aspects  of  the  operation 
of  a  fuze. 

Most fuzes have a rotor or a slider whose explosive element must move into line with
other explosive elements for proper propagation, and a detonator which must be initiated
to start the propagation. If the rotor prematurely goes into line (arms) but the detonator
does not fire, the fuze will not prematurely function. On the other hand, if the detonator
fires prematurely when the rotor is not in line the fuze will not premature. In the latter
case, only a dud will result and the fuze will no longer be hazardous.

Notice in Table 3 that two columns identify the condition of the rotor and the detonator
in each of the eight situations. For example, the rotor could go into the armed position
when the loaded item is being shipped to the warhead plant for assembly (identified as b).
The fuze would premature if the detonator fired during shipment (k) or at any subsequent
time, e.g., when the missile was triggered in the missile (p).

In statistical language, two events are called mutually exclusive if the occurrence of
one excludes the occurrence of the other. The classic example is the drawing of an ace
or king in a single draw. Since both ace and king cannot be drawn in a single draw the
events are mutually exclusive. In this case, the rotor pre-arming and the detonator firing
events are not mutually exclusive since the occurrence of one does not exclude the
occurrence of the other. These two events are independent events because the occurrence
or non-occurrence of one does not affect the probability of occurrence of the other. Also,
there is a situation of conditional probability since a fuze premature can only happen if
the detonator fires at the same time or after the rotor pre-arms, not before the rotor
pre-arms.

The answer to the question posed at the start of this section for the gross life cycle
probability of a fuze premature can be expressed in a practical and simplified formula as
follows:

+ al + am + an + ao + ap + aq
+ bl + bm + bn + bo + bp + bq
+ cl + cm + cn + co + cp + cq
+ dm + dn + do + dp + dq
+ en + eo + ep + eq
+ fo + fp + fq
+ gp + gq
+ hq

Caution  in  Using  Repeat  Events 

When  the  probability  values  of  the  rotor  pre-arming  and  the  detonator  firing  events 
are  considered  separately  to  determine  the  gross  life  cycle  probability  caution  must  be  used 
in  not  combining  repeat  events. 

For  example,  suppose  that  a  fuze  has  both  an  electrical  detonator  and  a  mechanical 
graze  feature.  The  latter  causes  a  firing  pin  to  stab  a  primer  when  the  projectile  or  missile 
strikes  or  glances  off  an  obstacle.  However,  the  firing  pin  cannot  function  unless  the  rotor 
has  gone  into  the  armed  position.  In  the  safe  position,  the  rotor  mechanically  locks  the  firing 
pin  and  prevents  it  from  moving.  In  many  cases,  the  branches  under  the  rotor  pre-arms  are 
identified  by  the  repeat  symbol. 

This  same  repeat  symbol  could  appear  in  the  other  branch  of  the  fault  tree  under  the 
event,  “Detonator  fired  mechanically.” 

A simplified fault tree will show this:

B = Z1

C = D = (2) = Z1 . E

A = (1) = B . C

  = Z1 . (Z1 . E) = Z1 . Z1 . E

But Z1 . Z1 = Z1 by Code IX

Therefore, the probability for Z1 must not be used in the Detonator branch when
calculating the probability value for a fuze premature. Event A then becomes A = Z1 . E

RELIABILITY FAULT TREES

The discussion of fault trees so far has been directed at assessing the safety of a
munitions item. It has been found advantageous to employ the same fault tree techniques in
the analysis of reliability.

It has become a common practice in assessing reliability to make a block diagram of
specific successful events leading to a specific reliable end event. Certainly, there is nothing
wrong with this way of determining reliability. Generally, however, block diagrams do not
show enough detail of the unreliability of the various components which make up the
complete assembly. The construction of a reliability fault tree investigates the unreliability of
each important component. For this reason, the construction of a fault tree is a very
valuable analytical tool for investigating reliability.

Relation  Between  Successful  Events  and  Fault  Trees 

To  show  the  relation  between  the  sequence  of  successful  events  and  a  fault  tree 
analysis,  consider  a  simple  flashlight  consisting  of  a  bulb,  a  battery,  and  a  switch.  The 
sequence  of  successful  events  would  be 

d  =  switch  closed 

c  =  battery  activated 

b  =  bulb  filament  heated 

a  =  light  beam  produced 

The  flashlight  is  a  series  circuit  and  if  any  of  the  components  fail  to  function  properly, 
event  “a”  will  not  occur,  that  is,  the  flashlight  will  not  light. 

The  fault  tree  analysis  would  be: 

a’  =  light  beam  not  produced 
b’  =  bulb  filament  broken  or  burned  out 
c'  =  battery  dead 

d'  =  switch  defective 


The above situations can be diagrammed thus:

[Figure: Block Diagram (Successful Events) and Fault Tree Analysis]

                  Success             Failure

Boolean Algebra   a = b . c . d       a' = b' + c' + d'

Assume that to improve the reliability of the switch a second switch was added in
parallel with the first one, then the following comparison could be made:

[Figure: Block Diagram (Successful Events) and Fault Tree Analysis]

                  Success               Failure

Boolean Algebra   a = b . c . (d + e)   a' = b' + c' + (d' . e')

A study of these diagrams will show that AND gates for successes become OR gates
for failures, and OR gates for successes become AND gates for failures. In Boolean Algebra
this can be expressed as

(a . b . c .... n)' = a' + b' + c' .... + n'

(a + b + c .... + n)' = a' . b' . c' .... n'

These two unique laws can be applied only to Boolean Algebra and are known as
DeMorgan’s laws.

FAULT TREE ANALYSIS FOR SAFETY AND ARMING
DEVICE, XM813


The  Safety  and  Arming  (S&A)  Device,  XM813,  was  selected  as  an  example 
because  it  is  a  relatively  simple  mechanism.  To  generalize  the  following  systematic  safety 
failure  analysis  procedures,  the  XM813  performance  characteristics  for  arming  times, 
arming  distances  and  g  levels  will  be  indicated  by  letter  symbols  instead  of  numbers.  The 
letter  symbols  to  be  used  are: 

t  seconds  =  minimum  arming  time 
T  seconds  =  maximum  arming  time 
d  feet  =  minimum  arming  distance 
D  feet  =  maximum  arming  distance 
N  g’s  =  maximum  acceleration  for  non-arm  condition 
X  g’s  =  minimum  constant  acceleration  to  arm 
Y  g’s  =  peak  acceleration  experienced 

Description  of  XM813  S&A  Device 

The XM813 S&A device, Figure 10, is an hermetically sealed unit which contains a
mechanical acceleration sensing mechanism. The explosive train consists of an electrically
initiated detonator in an unbalanced rotor and a lead fixed in the base of the housing. The
rotor has a cantilever switch which shorts the detonator in the unarmed position and
completes the electrical circuit to the detonator when in the armed position. A clock
mechanism controls the rotation of the rotor. One brass bias weight which unlocks the rotor at
setback is restrained by two helical compression springs mounted on the bias weight guide
posts. The bias weight has a decal with the letters “S” and “A” that can be viewed through
a port in the housing to determine visually whether the unit is in the armed or un-armed
position. Electrical power is supplied by an on-board missile battery. When the double
ogive of the missile is crushed at impact, the electrical circuit is completed through the
S&A wire harness. (See Fig 11.)

Sequence  of  Successful  Events 

The  gunner  triggers  the  launch  operation.  The  thermal  battery,  which  supplies 
electrical  energy  for  the  S&A  device,  is  activated. 

At  launch,  the  missile  is  subjected  for  a  short  time  to  a  high  acceleration  of  Y  g’s. 

The resulting force causes the bias weight to overcome the spring force.

[Fig 10 XM813 S&A device mounting plate assembly]

[Fig 11 XM813 Schematic. Safe position: ogive crush switch, detonator shorted,
unbalanced rotor. Armed position: ogive crush switch closed, detonator unshorted,
rotor in-line.]

When setback moves the bias weight, the rotor is unlocked and the arming cycle
starts. The annular gear on the unbalanced rotor engages the runaway escapement of the
arming mechanism.

After  launch,  the  missile  is  subjected  to  a  uniform  acceleration  of  X  g’s.  During  the 
application  of  this  uniform  acceleration  force  the  arming  mechanism  controls  the  arming 
time.  The  arming  time  controls  the  arming  distance  which  must  fall  between  d  and  D 
feet. 


If  at  any  time  during  the  arming  cycle  the  acceleration  falls  below  N  g’s  the 
S&A  mechanism  will  recycle  to  the  safe  position. 

Just  before  the  rotor  reaches  the  fully  armed  position  the  electrical  cantilever  switch 
unshorts  the  detonator  and  then  makes  contact  with  another  terminal  in  the  firing  circuit. 
When  the  rotor  reaches  the  fully  armed  position,  the  detent  locks  the  rotor  in  position. 
When  this  happens  the  rotor  cannot  return  to  the  safe  position. 

On  impact  the  outer  ogive  contacts  the  inner  ogive  of  the  crush  switch  completing 
the  electrical  circuit.  The  electrical  detonator  is  initiated,  the  detonator  initiates  the  lead, 
the  lead  initiates  the  warhead  booster  and  the  booster  initiates  the  HE  warhead. 

Block diagram of successful operation

Cantilever switch unshorts detonator
Cantilever switch contacts firing circuit terminal
Arming cycle complete
Detent locks rotor in armed position
Detent lock spring locks detent in rotor
Flight to target
Impact crushes ogive
Electrical circuit complete
Detonator initiated
Lead initiated
Booster initiated
HE warhead initiated
Target destroyed

Safety Requirements

1. The XM813 S&A device must withstand various combinations of storage,
transportation, rough handling, and flight environments and remain safe and operable.

2.  The  S&A  must  not  arm  when  subjected  to  a  sustained  (5  second)  force  caused  by 
N  g’s  or  less. 

3.  The  S&A  must  remain  unarmed  during  the  first  d  feet  of  flight. 

4.  The  detonator  must  be  shielded  from  stray  RF  energy. 

5.  The  detonator  must  be  shorted  in  the  unarmed  position. 

6.  The  unit  must  be  hand  safe.  If  the  detonator  is  initiated  while  the  unit  is  unarmed, 
the  housing  must  completely  contain  the  detonation  and  the  lead  must  not  be  initiated. 

XM813  Safety  Fault  Tree  Analysis 

Two  safety  fault  trees  are  shown  for  the  XM813  S&A  device. 

a.  Figure  12  shows  the  fault  tree  for  a  missile  warhead  which  prematurely  detonates 
in  the  gun  tube. 

b.  Figure  14  shows  the  fault  tree  for  a  missile  warhead  which  functions  high  order 
after  it  leaves  the  gun  tube  but  less  than  the  safe  arming  distance  of  d  feet. 

The  Boolean  Algebra  solution  for  premature  in  gun  tube  (Fig  12)  follows: 

XM813 Fuze Prearmed

Start at Gate (7)

(7) = I . K
(6) = I . J
(5) = (6) + (7) = I.J + I.K
(4) = G + H
(3) = D + E + F
    = D + (4) + (5)
    = D + G + H + IJ + IK
[Fig 12 Safety fault tree: XM813 fuze prematures warhead]


C = (3) (Mechanically Armed)
L = (8) (Electrically Armed)
  = Y1 + M

B = (2) = C . L
  = Y1 (Y1 + M)
  = Y1 . Y1 + Y1 . M

But Y1 . Y1 = Y1      Code IX
And Y1 = Y1 . 1       Code VI

  = Y1 . 1 + Y1 . M
  = Y1 (1 + M)

But (1 + M) = 1       Code V

  = Y1 (1) = Y1

B = (2) = Y1 = D + G + H + IJ + IK

This means that any of the combined events listed under Y1 would be enough to give an
armed fuze prematurely (mechanically and electrically) and that event M only (switch
fails closed) would not be a contributing cause. Because of the construction, a rotor
which aligns the detonator with the lead would electrically arm the device.


Detonator Fires Prematurely

(11) = S = T + U + V
(10) = R . S
     = R (T + U + V)
     = RT + RU + RV
N = (9) = O + P + Q + (10)
  = O + P + Q + RT + RU + RV
Fuze Prematures Warhead in Gun Tube

A = (1) = B . N = (2) (9)
  = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)
  = DO + DP + DQ + DRT + DRU + DRV
  + GO + GP + GQ + GRT + GRU + GRV
  + HO + HP + HQ + HRT + HRU + HRV
  + IJO + IJP + IJQ + IJRT + IJRU + IJRV
  + IKO + IKP + IKQ + IKRT + IKRU + IKRV
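The reduction above can be checked mechanically. The following is an added example, not part of the handbook: it rebuilds the Fig 12 gates as transcribed in the Boolean solution, expands them into cut sets, and applies the absorption law to show that M drops out and that 30 minimal cut sets remain. The gate labels g6, g7 and g10, and the modelling of C as the repeated event Y1, are assumptions made for the example.

```python
from itertools import product

# Gate structure transcribed from the Boolean solution for Fig 12.
# g6, g7 and g10 are labels chosen here for gates (6), (7) and (10).
# Assumption: C (mechanically armed) is the repeated event Y1 itself,
# which is what the handbook's step B = C . L = Y1 (Y1 + M) implies.
TREE = {
    "A":   ("AND", ["B", "N"]),              # warhead prematures in gun tube
    "B":   ("AND", ["C", "L"]),              # fuze prearmed
    "C":   ("OR",  ["Y1"]),                  # mechanically armed
    "L":   ("OR",  ["Y1", "M"]),             # electrically armed
    "Y1":  ("OR",  ["D", "E", "F"]),
    "E":   ("OR",  ["G", "H"]),
    "F":   ("OR",  ["g6", "g7"]),
    "g6":  ("AND", ["I", "J"]),
    "g7":  ("AND", ["I", "K"]),
    "N":   ("OR",  ["O", "P", "Q", "g10"]),  # detonator fires prematurely
    "g10": ("AND", ["R", "S"]),
    "S":   ("OR",  ["T", "U", "V"]),
}


def cut_sets(node):
    """All cut sets of `node`, each a frozenset of basic events."""
    if node not in TREE:                     # basic event
        return {frozenset([node])}
    kind, children = TREE[node]
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":                         # union of the children's cut sets
        return set().union(*child_sets)
    # AND: one cut set from every child, merged (X . X = X via set union)
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Apply absorption (X + X.Y = X): drop supersets of another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def labels(node):
    """Minimal cut sets written the handbook's way, e.g. 'IJRT'."""
    return sorted("".join(sorted(s)) for s in minimal_cut_sets(node))


if __name__ == "__main__":
    print("B =", " + ".join(labels("B")))
    print("A has", len(labels("A")), "minimal cut sets")
    print("M appears in a minimal cut set:",
          any("M" in s for s in minimal_cut_sets("A")))
```

Before absorption, gate B still carries products such as D.M; they disappear only because D alone is already a cut set.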

Safety  Apportionment  -  XM813  Fuze  Armed  and  Detonator  Fires  Prematurely  in 
Gun  Tube  (Fig  12) 

After  having  constructed  a  fault  tree  and  written  a  Boolean  Algebra  expression  for  a 
premature  in  the  gun  tube,  the  next  step  is  to  quantify  the  expression.  Since  very  little 
prior  knowledge  is  available  for  the  subject  fuze,  safety  apportionment  will  be  done  as 
described on page 21.

Engineering Judgment

Event  Failure mode                                      Probability  Allowed failures per million
D      Rotor lock failed                                 .000006      (6/M)
G      Springs failed                                    .000004      (4/M)
H      Springs weak                                      .000005      (5/M)
I      X g shock                                         .1           (100,000/M)
J      t seconds duration                                .001         (1,000/M)
K      Bias weight stuck                                 .00005       (50/M)
O      Static initiation                                 .0000001     (.1/M)
P      Shock initiation                                  .00002       (20/M)
Q      Thermal initiation                                .0000003     (.3/M)
R      Missile battery activated                         1.0          (M/M)
T      Ogive switch crushed or dented                    .001         (1,000/M)
U      Short circuit in wiring harness                   .0003        (300/M)
V      Foreign conductor between inner and outer ogive   .00007       (70/M)
A = B . N

A = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

  = (.000006 + .000004 + .000005 + .1 x .001 + .1 x .00005) (.0000001 + .00002 + .0000003 +
    1 x .001 + 1 x .0003 + 1 x .00007)

  = (.000006 + .000004 + .000005 + .0001 + .000005) (.0000001 + .00002 + .0000003 +
    .001 + .0003 + .00007)

  = .000120 x .0013904          B = 120/M and N = 1390/M

  = 1/8333 x 1/719

  = .00000016685 = 1/5,993,260 (Probability of a premature functioning in the gun tube based on
    engineering judgment).

All Failure Modes Equally Likely

Assume safety requirement = 1 premature in 3,000,000 shots
A = 1/3,000,000

A = B . N

A = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

here R = 1.0 (normally expected)

Let X = each failure mode

A = (X + X + X + X^2 + X^2) (X + X + X + X + X + X)

  = (3X + 2X^2)(6X) = 12X^3 + 18X^2 = 1/3,000,000 = .0000003333

By trial and error X = .000136 = 1/7353

Check:

D  = .000136                                    (136/M)
G  = .000136                                    (136/M)
H  = .000136                                    (136/M)
IJ = .000136 x .000136 = .000000018496          (.018/M)
IK = .000136 x .000136 = .000000018496          (.018/M)
B  = .000408036992 = 1/2450                     (408/M)

O,P,Q,T,U,V = 6 x .000136 = .000816 = N = 1/1225    (816/M)

A = B . N

A = .000408 x .000816 = .000000332928 vs .0000003333
Both Branches and Modes within Branches, Equally Likely

Assume safety requirement = 1 premature in 3,000,000 shots

A = B . N = 1/1732 x 1/1732 = 1/2,999,824

A = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

here R = 1.0 (normally expected)

B = (D + G + H + IJ + IK) = 1/1732 = .0005773 (577/M)

Let X = each failure mode
B = (X + X + X + X^2 + X^2) = .0005773
  = 3X + 2X^2 = .0005773
By trial and error X = .0001924

N = (O + P + Q + RT + RU + RV) = 1/1732 = .0005773

Let Y = each failure mode

N = (Y + Y + Y + Y + Y + Y) = .0005773 (577/M)
  = 6Y = .0005773
Y = .0000962 (96/M)

Check:

D  = .00019240                                (192/M)
G  = .00019240                                (192/M)
H  = .00019240                                (192/M)
IJ = .0001924 x .0001924 = .000000037         (.037/M)
IK = .0001924 x .0001924 = .000000037         (.037/M)
B  = .000577272

O,P,Q,T,U,V = 6 x .0000962 = .0005772

A = B . N = .000577 x .000577 = .000000332929 vs .0000003333

Sensitivity  Rating  (Fig  13) 

A  =  B  .  N 

A  =  (D+  G  +  H  +  IJ  +  IK)  (O  +  P  +  Q  +  RT  +  RU  +  RV) 
Set all probabilities at .1 except R = 1.0 (normally expected)

A = (.1 + .1 + .1 + .01 + .01) (.1 + .1 + .1 + .1 + .1 + .1)
  = (.32) (.6) = .192

Set each event at .5 - one at a time

Event                                                       Probability of output fault
D or G or H  = (.5 + .1 + .1 + .01 + .01) (.6)            = .432
I            = (.1 + .1 + .1 + .05 + .05) (.6)            = .240
J or K       = (.1 + .1 + .1 + .05 + .01) (.6)            = .216
O,P,Q,T,U,V  = (.32) (.5 + .1 + .1 + .1 + .1 + .1)        = .320

Event          Sensitivity Ratio    Sensitivity Rating
D,G,H          .432 ÷ .192          2.25
O,P,Q,T,U,V    .320                 1.67
I              .240                 1.25
J,K            .216                 1.12

These  sensitivity  ratings  are  plotted  on  graph  paper  as  the  probability  of  output  fault 
versus  the  probability  of  input  fault.  The  plot  is  shown  on  Figure  13. 

The above sensitivity rating table and Figure 13 show that events D, G, and H have
more influence on the output fault than the other contributing events I, J, and K in
Branch B and all of the events in Branch N.

Apportionment of the safety goal can be made to the failure modes and basic events
so that D, G, and H will not influence event A any more than the other events. This is
done by assigning lower allowable probabilities of occurrence to D, G, and H. This can
be accomplished in the following manner:

Using the sensitivity ratings, write the Boolean Algebra equation in terms of the one
event with the highest rating. Let D be the term.

(O,P,Q,T,U,V) / D = 2.25 / 1.67 = 1.35

O = 1.35D, P = 1.35D, Q = 1.35D, etc.

I / D = 2.25 / 1.25 = 1.8        I = 1.8D

(J,K) / D = 2.25 / 1.12 = 2.0    J = 2.0D, K = 2.0D

[Fig 13 XM813 Sensitivity Ratio]

A = B . N = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

A = (D + D + D + 1.8D x 2.0D + 1.8D x 2.0D) (1.35D + 1.35D + 1.35D + 1 x 1.35D +
    1 x 1.35D + 1 x 1.35D) = .0000003333

(3D + 7.2D^2) (6 x 1.35D) = .0000003333

24.3D^2 + 58.32D^3 = .0000003333

By trial and error
D = .000117

Check:

Branch B

D  = .000117
G  = .000117
H  = .000117
IJ = 1.8 x .000117 x 2.0 x .000117 = .0000000493
IK = 1.8 x .000117 x 2.0 x .000117 = .0000000493
B  = .0003510986

Branch N

O  = 1.35 x .000117     = .000158
P  = 1.35 x .000117     = .000158
Q  = 1.35 x .000117     = .000158
RT = 1 x 1.35 x .000117 = .000158
RU = 1 x 1.35 x .000117 = .000158
RV = 1 x 1.35 x .000117 = .000158
N  = .000948

A = B . N = .000351 x .000948 = .0000003327
SUMMARY

Branch B    .000351      351/M
D         = .000117      117
G         = .000117      117
H         = .000117      117
I         = .000210      210
J         = .000234      234
K         = .000234      234

Branch N    .000948      948/M
O         = .000158      158
P         = .000158      158
Q         = .000158      158
T         = .000158      158
U         = .000158      158
V         = .000158      158
R         = 1.0          1,000,000/M
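The trial-and-error steps in "All Failure Modes Equally Likely" and in the sensitivity-rating apportionment can be reproduced numerically. The following is an added example, not part of the handbook: it evaluates A = B . N for Fig 12, computes the sensitivity ratings, and replaces trial and error with bisection. The function names are chosen for the example, and OR gates are summed exactly as the handbook sums them.

```python
GOAL = 1 / 3_000_000            # safety requirement used on this page
EVENTS = "DGHIJKOPQTUV"         # R (battery activated) is held at 1.0


def top_event(p):
    """A = B . N for Fig 12. OR gates add probabilities, as the handbook
    does (a rare-event approximation); AND gates multiply."""
    b = p["D"] + p["G"] + p["H"] + p["I"] * p["J"] + p["I"] * p["K"]
    n = p["O"] + p["P"] + p["Q"] + p["R"] * (p["T"] + p["U"] + p["V"])
    return b * n


def scaled(x, weights=None):
    """Every event set to weight * x (weight 1 if not given), R = 1.0."""
    p = {e: (weights[e] if weights else 1.0) * x for e in EVENTS}
    p["R"] = 1.0
    return p


def sensitivity_ratings(base=0.1, raised=0.5):
    """Raise one event at a time from `base` to `raised`; report the ratio
    of the resulting top-event probability to the all-`base` value."""
    reference = top_event(scaled(base))
    ratings = {}
    for event in EVENTS:
        p = scaled(base)
        p[event] = raised
        ratings[event] = top_event(p) / reference
    return ratings


def solve_for_goal(weights=None, goal=GOAL):
    """Bisection in place of trial and error: find x with A(x) = goal.
    A(x) increases with x, so the bracket [0, 1] always contains the root."""
    lo, hi = 0.0, 1.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if top_event(scaled(mid, weights)) < goal:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def sensitivity_apportionment():
    """Allow each event rating(D) / rating(event) times D's allowance, so
    the most sensitive events (D, G, H) get the smallest share."""
    r = sensitivity_ratings()
    weights = {e: r["D"] / r[e] for e in EVENTS}
    d = solve_for_goal(weights)
    return {e: weights[e] * d for e in EVENTS}


if __name__ == "__main__":
    print("equal modes: X = %.6f" % solve_for_goal())
    for event, allowed in sensitivity_apportionment().items():
        print("%s = %.6f (%.0f/M)" % (event, allowed, allowed * 1e6))
```

The unrounded J and K rating is 1.125, so the weight 2.25 / 1.125 comes out as exactly 2.0, the multiplier the handbook uses.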


All Major Events Equally Likely — Some Failure Modes Adjusted

Assume safety requirement = 1 premature in 3,000,000 shots
A = 1/3,000,000

A = B . N = (D + E + F) (O + P + Q + R . S) = .0000003333
(refer to Fig 12)

here R = 1.0 (normally expected)

Let X = each major event
A = (X + X + X) (X + X + X + X)
  = (3X) (4X) = 12X^2 = .0000003333

X = (.0000003333 / 12)^(1/2) = (.0000000278)^(1/2) = .0001666

Branch B = 3X = 3 x .0001666 = .0004998 (500/M)

D = .0001666

E = G + H = .0001666 (167/M)
Assume H = 1.3 times more likely to happen than G

E = G + 1.3G = 2.3G = .0001666

G = .0001666 / 2.3 = .0000725                      (72/M)

H = E - G = .0001666 - .0000725 = .0000941         (94/M)

Assume I twice as likely to happen as K and I eight times as likely as J.

F = IJ + IK = .0001666
  = I x I/8 + I x I/2 = .0001666

I^2/8 + 4I^2/8 = 5I^2/8 = .0001666

I = (.0002665)^(1/2) = .0163266                    (16,327/M)
J = I/8 = .0163266 / 8 = .0020408                  (2,041/M)
K = I/2 = .0163266 / 2 = .0081633                  (8,163/M)

Branch N = 4X = 4 x .0001666 = .000666 = 1/1500    (666/M)

N = (O + P + Q + R . S) = .000666
O = .0001666                                       (167/M)
P = .0001666                                       (167/M)
Q = .0001666                                       (167/M)
S = (R . S) / R = (1 x .0001666) / 1 = .0001666    (167/M)

S = T + U + V = .0001666

Event   Rel. likelihood   Likelihood index   Safety apportionment
U       1.000 ÷ 2.166     .461               .0000768   (77/M)
T       .666              .308               .0000513   (51/M)
V       .500              .231               .0000385   (39/M)
        2.166             1.000              .0001666
Branches Unequal and Failure Modes Adjusted

Assume safety requirement = 1 premature in 3,000,000 shots.

A = B . N = 1/1225 x 1/2450 = 1/3,001,250

A = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

here R = 1.0 (normally expected)

Branch B = 1/1225 (816/M)

Events, descending order   Relative likelihood   Likelihood index i   Safety apportionment iB
IK                         1.00 ÷ 3.20           .3125                .000255    (255/M)
D                          .80                   .2500                .000204    (204/M)
H                          .65                   .2031                .0001666   (166/M)
G                          .50                   .1563                .000128    (128/M)
IJ                         .25                   .0781                .000064    (64/M)
                           3.20                  1.0000               .000817

Assume I twice as likely to happen as K

IK = 2K . K = 2K^2 = .000255

K = (.000255 / 2)^(1/2) = (.0001275)^(1/2) = .0112916    (11,292/M)

I = 2K = 2 x .0112916 = .0225832                         (22,583/M)

J = IJ / I = .000064 / .0225832 = .002833965             (2,834/M)

Branch N = 1/2450 (408/M)

Events, descending order   Relative likelihood   Likelihood index i   Safety apportionment iN
U                          1.000 ÷ 2.474         .404                 .0001649   (165/M)
T                          .666                  .269                 .0001098   (110/M)
V                          .500                  .202                 .0000824   (82/M)
P                          .260                  .105                 .0000429   (43/M)
Q                          .036                  .015                 .0000061   (6/M)
O                          .012                  .005                 .0000020   (2/M)
                           2.474                 1.000                .0004081
Table 4

Failure mode safety apportionment allowed failures/million

MSL battery activated  1,000,000  1,000,000  1,000,000  1,000,000  1,000,000  1,000,000


Discussion  of  Safety  Apportionments 

In  the  following  discussion,  the  probability  values  assigned  to  the  failure  modes  by 
Engineering  Judgment  will  not  be  used  since  these  values  have  the  least  substantiation. 

In the other five categories each failure mode value was determined on the basic
assumption that the minimum safety requirement for the complete fuze was one (1)
premature in three million (3,000,000) shots.

Observe the values for failure mode D “Rotor Lock failed”:

a. For all failure modes equally likely                                D = 136/M
b. For both branches and modes within branches equally likely         D = 192/M
c. Sensitivity rating                                                  D = 117/M
d. For all major events equally likely and failure modes adjusted     D = 167/M
e. For branches unequal and failure modes adjusted                     D = 204/M

From  this,  it  can  be  seen  that  the  least  allowed  rotor  lock  failures  are  117  per  million  (c) 
and  the  most  allowed  failures  are  204  per  million  (e). 

To  be  ultra-conservative,  the  Safety  Engineer  can  select  each  of  the  least  allowed 
failures  from  the  five  situations  as  a  safety  goal  for  the  individual  events.  By  doing  this, 
the  S&A  Device  safety  can  be  recalculated  as  follows: 

Use Least Allowed Failures

A = B . N
  = (D + G + H + IJ + IK) (O + P + Q + RT + RU + RV)

here R = 1.0 (normally expected)

B

D  = .000117
G  = .000072
H  = .000094
IJ = .000136 x .000136 = .000000018
IK = .000136 x .000136 = .000000018
B  = .000283036

N

O = .000002
P = .000043
Q = .000006
T = .000051
U = .000077
V = .000039
N = .000218

A = B . N

A = .000283 x .000218 = .00000006169

A = .06169/1,000,000 x 30/30 = 2/30,000,000 (approx)


This  calculation  shows  that  by  using  the  least  allowed  failures  for  each  event  this 
particular  system  safety  is  five  (5)  times  greater  than  the  required  safety  goal. 


By using all of the maximum allowed failures from the five situations, the system
safety can be recalculated to show the poorest performance.

Use Maximum Allowed Failures

D  = .000204
G  = .000192
H  = .000192
IJ = .022583 x .002834 = .000064
IK = .022583 x .011292 = .000255
B  = .000907

O  = .000167
P  = .000167
Q  = .000167
RT = 1 x .000158 = .000158
RU = 1 x .000165 = .000165
RV = 1 x .000158 = .000158
N  = .000982

A = B . N

A = .000907 x .000982 = .000000890674 = .89/M

  = .89/1,000,000 x 3/3 = 2.67/3,000,000

This value is approximately three (3) times worse than the safety goal of 1 in
3,000,000.

It  is  obvious  that  the  allowed  failure  mode  safety  apportionments  will  lie  somewhere 
between  the  least  allowed  and  the  maximum  allowed  failures  for  a  given  safety  goal. 

The question which the safety engineer must answer is: “Can the apportioned
values be held within the limits?” If they can, then the safety requirements should be
met.  If  it  is  likely  that  the  apportioned  values  cannot  be  met,  then  some  action  must 
be  taken  to  bring  the  failure  rates  of  the  critical  components  into  line.  Actions  which 
may  be  taken  could  be: 

a.  Redesign  of  the  components 

b.  Change  of  material 

c.  Better  inspection 

d.  Better  packaging 

e.  Redundant  circuits 

The  Boolean  algebra  solution  for  Figure  14  follows: 

XM813 Fuze Prematures Warhead at Unsafe Distance

S&A Device Armed Prematurely

C = (3) = D + G + H + IJ + IK (From Fig 12)
D1 = (4) = E1 + F1 + G1 + H1
B1 = (2) = C + D1
   = C + E1 + F1 + G1 + H1
   = D + G + H + IJ + IK + E1 + F1 + G1 + H1

Detonator Fires

V1 = (7) = K1 + W1
(6) = R . V1
    = R (K1 + W1)
    = RK1 + RW1
Q1 = (5) = O + T1 + (6)
   = O + T1 + RK1 + RW1

[Fig 14 Safety fault tree]

XM813 S&A Device Prematures Warhead at Unsafe Distance

B1 . Q1 = (D + G + H + IJ + IK + E1 + F1 + G1 + H1) (O + T1 + RK1 + RW1)
        = O . (D + G + H + IJ + IK + E1 + F1 + G1 + H1)
        + T1 . ( " )
        + RK1 . ( " )
        + RW1 . ( " )

Any  of  the  above  combinations  of  events  would  cause  the  warhead  to  fire  high  order  in 
less  than  the  safe  arming  distance. 

To  illustrate  one  combination: 

E1 . R . W1 = Pallet failed and missile battery activated and missile struck obstacle.


XM813  Reliability  Fault  Tree  Analysis 

Having  considered  the  many  aspects  of  the  construction  and  analyses  of  the  Safety 
fault  trees  for  the  XM813  S&A  Device,  the  construction  of  a  Reliability  fault  tree  will 
now  be  undertaken.  Figure  15  shows  such  a  tree. 

The  XM813  S&A  Device  is  a  very  simple  mechanism  of  a  series  circuit  type  and 
there  are  no  redundant  circuits,  so  only  OR  gates  appear  on  the  fault  tree.  Also  notice 
that  there  are  no  conditional  gates.  Sequence  of  occurrence  is  of  no  consequence. 

The  quantification  of  this  fault  tree  would  yield  the  unreliability  of  the  device. 

The probability of success equals one minus the probability of failure (unreliability).
Since reliability assessments of this type have been so well covered in many other
documents, this step will not be discussed here.

Analysis  of  Figure  15 

Start at Gate 2

B = (2) = C + D + E + F
J = (5) = L + M + N

[Fig 15 Reliability fault tree]

H = (4) = I + J + K
  = I + L + M + N + K
O = (6) = P + Q
G = (3) = H + O
  = I + K + L + M + N + P + Q
A = (1) = B + G
  = C + D + E + F + I + K + L + M + N + P + Q

Note: Any one of the above modes could cause the XM813 S&A Device not to function when
required.